Sun ≫ Solaris

aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Expreserve, as used in vi and ex, allows local users to overwrite arbitrary files and gain root access.

Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg...

admintool in Solaris allows a local user to write to arbitrary files and gain root access.

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local user with physical access to obtain root access.